An Insider’s Guide to Using WMI Events and PowerShell

Microsoft Scripting Guy, Ed Wilson, is here. Tickets for the Jacksonville IT Pro Camp are rapidly disappearing. If you are anywhere near Jacksonville, Florida on June 16, 2012, you should definitely check it out. There are sessions about Windows PowerShell Best Practices, Windows PowerShell Remoting, and general Windows PowerShell admin. Not to mention sessions about Hyper-V, SharePoint, SQL Server, Team Foundation Server, and more. It will be an awesome opportunity to learn from some of the best people in the field. The presenters are Microsoft MVPs, Microsoft PFEs, community leaders, and of course, the Microsoft Scripting Guy.

Today, I want to look at the Hey, Scripting Guy! Blog posts that discuss WMI eventing.

All about WMI eventing

There are two types of WMI event consumers: temporary and permanent. Temporary event consumers are ones that you set up and that last until you exit the script. A good way to use a temporary event consumer is to start a script that watches something, make a change to what is being watched, and then, when the event fires, capture the event and do whatever you wanted to do. Permanent event consumers are written to the WMI repository, survive reboots, and run inside the WMI processes on your computer. There is no script to close, so they run as if they were services. These are used by SCOM and other applications. They are pretty complex, but they are not beyond the realm of people who are experienced in scripting and the use of WMI.

I have been writing about WMI eventing since back in the VBScript days. (In fact, I have an entire chapter about it in my WMI book). I have posts on the Hey, Scripting Guy! Blog from Windows PowerShell 1.0 days. These blogs are not necessarily obsolete because they talk about the underlying eventing .NET Framework classes. In addition, they illustrate the use of generic WMI event classes (the query is the same in Windows PowerShell 2.0 and Windows PowerShell 3.0).

There are two types of WMI event classes: implicit and generic. An implicit event class is really easy to use in Windows PowerShell 2.0 because the class already knows how to do events. A generic WMI event class is more difficult to use because the query is more complex. The nice thing is that the query is basically the same in Windows PowerShell and in VBScript, so you have tons of resources for these types of queries.

Temporary WMI event consumers

All of the following blogs talk about working with temporary WMI event consumers. These are typically set up to monitor a specific item, or items, for only a short period of time.

Using generic WMI classes

How Can I Be Notified When a Process Begins? In this blog, I talk about using a generic WMI class, __InstanceCreationEvent, to monitor for a new process to begin. The blog was written in Windows PowerShell 1.0. It is valuable because I discuss the objects that are involved and show how to create a query by using a generic WMI event class. Please note that there is a Win32_ProcessStartTrace WMI class that makes it easier to monitor for a process to begin. The real value of the blog is in showing how to query a generic class.

How Do I Display a Message and the Time a Process Was Terminated? This blog also uses a generic WMI class, __InstanceDeletionEvent, to monitor when a process goes away. Again, this blog was written for Windows PowerShell 1.0; in Windows PowerShell 2.0 you will not need to manually create the EventWatcher class. In addition, there is a Win32_ProcessStopTrace WMI class that is an intrinsic event class. The value is in working with the generic WMI class.

How Can I Back Up a Database’s Data Folder While the Database Is Running? This is an interesting post. It also uses a generic WMI event class, __InstanceModificationEvent. The query is very useful, as is the discussion of the technique actually involved. The technique illustrates doing something that is not easily accomplished via other methods. The script could be simplified by updating to Windows PowerShell 2.0, but this blog is still good.
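The difference between the two kinds of query described in this section, shown as an added example that is not taken from the posts listed here. It registers one temporary consumer with the generic __InstanceCreationEvent class and one with Win32_ProcessStartTrace; the source identifiers and the 60-second wait are arbitrary choices, and the trace class is assumed to need an elevated session.

```powershell
# Added example (not from the original posts). Windows PowerShell 2.0 or later.

# Generic class: the query must poll (WITHIN 5 = every 5 seconds) and must say
# which kind of instance it cares about (ISA 'Win32_Process').
$genericQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
                "WHERE TargetInstance ISA 'Win32_Process'"
Register-WmiEvent -Query $genericQuery -SourceIdentifier 'ProcStartGeneric'

# Dedicated process-start class: no WITHIN or ISA clause is needed.
# Assumption: this registration is run from an elevated session.
Register-WmiEvent -Class Win32_ProcessStartTrace -SourceIdentifier 'ProcStartTrace'

try {
    # Block for up to 60 seconds until the generic subscription fires once
    $e = Wait-Event -SourceIdentifier 'ProcStartGeneric' -Timeout 60
    if ($e) {
        # Generic events wrap the new Win32_Process object in TargetInstance
        $p = $e.SourceEventArgs.NewEvent.TargetInstance
        '{0} generic: {1} (PID {2}) {3}' -f $e.TimeGenerated, $p.Name, $p.ProcessId, $p.CommandLine
    }

    # Drain whatever the trace subscription queued in the meantime
    Get-Event -SourceIdentifier 'ProcStartTrace' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Trace events carry their own properties directly on NewEvent
            $n = $_.SourceEventArgs.NewEvent
            '{0} trace: {1} (PID {2}, parent PID {3})' -f $_.TimeGenerated,
                $n.ProcessName, $n.ProcessID, $n.ParentProcessID
        }
}
finally {
    # Temporary consumers exist only in this session; remove them explicitly
    foreach ($id in 'ProcStartGeneric', 'ProcStartTrace') {
        Unregister-Event -SourceIdentifier $id -ErrorAction SilentlyContinue
        Remove-Event -SourceIdentifier $id -ErrorAction SilentlyContinue
    }
}
```

A process that starts and exits between two polls of the generic query is never reported, which is one reason to compare the two outputs on a busy machine.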

Overview of writing an event driven script

How Can I Write an Event-Driven Script? This post uses the Register-WmiEvent cmdlet that was introduced in Windows PowerShell 2.0. This blog illustrates the steps involved in writing an event-driven script, and it is a great introduction to the topic.

Specific application useful examples

There are several Hey, Scripting Guy! Blog posts that illustrate using temporary event consumers in a variety of ways. These are intended as “food for thought” types of blogs, and not as specific monitoring solutions.

Can I Be Informed When a Portable Drive Is Added by My Computer? This blog illustrates using the Register-WmiEvent and the Get-Event cmdlets. A temporary event consumer is created that monitors for plugging a USB drive into a computer. The script could be the basis of a more involved script, and the action you decide to take when the drive is inserted or removed is up to you. There are a number of great tips and tricks in this blog.

Can I Format a Portable Drive When It Is Inserted Into a Computer? This blog builds on the previous blog, and it contains a number of extremely useful functions, such as the Test-IsAdministrator function that I wrote for the Windows 7 Resource Kit (admin rights are required to format a drive). The script associated with this blog is quite extensive, and this blog illustrates a number of tips and tricks for working with temporary WMI event consumers.

Can I Start an Event Based on When a Registry Value Is Changed? This blog uses the RegistryValueChangeEvent WMI class to monitor a specific registry key and generate an event when a change takes place. The script also uses the Register-WmiEvent and the Wait-Event cmdlets that were introduced in Windows PowerShell 2.0. This is a great technique when you want to take an action when something in the registry changes. There is also a discussion about the other RegistryEvent WMI classes, and it includes a helpful table to let you know which class you might need.

WMI permanent event consumers

I have five blogs that discuss working with WMI permanent event consumers. The first two are foundational in that I discuss the technology and the parts that are involved in working with event consumers. The last three blogs were written by Trevor Sullivan, and he discusses a module he wrote to make working with permanent event consumers a bit easier.

Learn How to Use VBScript to Create Permanent WMI Events This blog began the Permanent Event Consumer Week. It is foundational, and should be read because it explains the different pieces: the consumer, the event filter, and the filter to consumer binding. You should review this blog carefully if you want to work with WMI permanent event consumers.

Use PowerShell to Monitor and Respond to Events on Your Server The series continues by discussing the different consumer classes. The blog has two extremely powerful scripts: the first script creates a permanent event consumer, the second script reports on permanent event consumers. The blog also illustrates how to remove the event consumers and event filters. The cmdlets used in this blog are Remove-WmiObject and Set-WmiInstance.
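Because permanent consumers survive reboots and run with no visible script, it is worth being able to list every one registered on a machine. The following is an added example, not the reporting script from the post above; it assumes the subscriptions are stored in the root\subscription namespace and an elevated session, and Split-WmiRef is a helper name made up for this example.

```powershell
# Added example: inventory permanent WMI event subscriptions.
$ns = 'root\subscription'   # assumption: subscriptions live in this namespace
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)   # includes all derived consumer classes
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

# Binding.Filter and Binding.Consumer are object paths, for example
#   \\HOST\ROOT\subscription:__EventFilter.Name="X"   or   __EventFilter.Name="X"
# Split-WmiRef (hypothetical helper) pulls the class and Name key out of either form.
function Split-WmiRef([string]$Path) {
    if ($Path -match '(?:^|:)(\w+)\.Name="(.*)"$') {
        New-Object PSObject -Property @{ Class = $Matches[1]; Name = $Matches[2] }
    }
}

# One row per binding: which query triggers which consumer, and who created it
$report = foreach ($b in $bindings) {
    $fr = Split-WmiRef $b.Filter
    $cr = Split-WmiRef $b.Consumer
    $f = $filters   | Where-Object { $_.Name -eq $fr.Name } | Select-Object -First 1
    $c = $consumers | Where-Object { $_.__CLASS -eq $cr.Class -and $_.Name -eq $cr.Name } |
         Select-Object -First 1
    $owner = if ($f -and $f.CreatorSID) {
        (New-Object System.Security.Principal.SecurityIdentifier($f.CreatorSID, 0)).Value
    }
    New-Object PSObject -Property @{
        Filter = $fr.Name; EventNamespace = $f.EventNamespace; Query = $f.Query
        ConsumerClass = $cr.Class; Consumer = $cr.Name; CreatorSID = $owner
        CommandLine = $c.CommandLineTemplate   # set on CommandLineEventConsumer only
        Script = $c.ScriptText                 # set on ActiveScriptEventConsumer only
    }
}
$report | Format-List Filter, EventNamespace, Query, ConsumerClass, Consumer,
                      CommandLine, Script, CreatorSID

# Filters that no binding references are inert, but leftovers are worth reviewing
$boundFilters = @($bindings | ForEach-Object { (Split-WmiRef $_.Filter).Name })
$filters | Where-Object { $boundFilters -notcontains $_.Name } | Select-Object Name, Query
```

Saving the output as a baseline and comparing later runs against it makes a newly registered filter, consumer, or binding stand out.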

Monitor and Respond to Windows Power Events with PowerShell In this blog, Trevor talks about using the Win32_PowerManagementEvent intrinsic eventing class and creating a permanent event consumer by using the PowerEvents module. If you do not have the module, you could modify the script in Use PowerShell to Monitor and Respond to Events on Your Server, but it will be more work, and the PowerEvents module works great.

These are the main Hey, Scripting Guy! Blog posts that discuss working with WMI events. I did not review a few others (for example, entries from the Scripting Games) here. To see all the blogs that come up about WMI events, simply click this tag cloud. Join me tomorrow when I will talk about more Windows PowerShell coolness.